FortiGate SSO Bug Remains Exploitable After December Patch, Attackers Actively Bypassing Fix

Fortinet has admitted that a critical single sign-on (SSO) authentication flaw in its FortiGate firewalls remains exploitable despite a patch released in December 2025. The vendor confirmed that attackers are actively using a new attack path to bypass the supposed fix, with customers reporting suspicious login activity on devices that were fully up to date.

The vulnerability centers on SAML-based SSO authentication in FortiOS. While Fortinet initially addressed the issue in December, the company now acknowledges that the patch did not fully remediate the problem. In a new advisory, Fortinet's chief information security officer Carl Windsor stated that the company had identified a fresh exploit method being used to abuse SSO authentication, even on systems that had already applied the earlier fix.

What Happened

The issue first came to light earlier this week when security firm Arctic Wolf reported that FortiGate firewalls were being silently reconfigured through compromised SSO accounts. Attackers were altering firewall settings, creating backdoor administrator accounts, and exfiltrating configuration files—all without triggering obvious security alerts.

Arctic Wolf's investigation revealed that the campaign began around January 15, 2026, with attackers demonstrating highly automated behavior. The security firm noted that the attackers were spinning up VPN-enabled accounts and extracting firewall configuration files in a matter of seconds, suggesting automated tooling rather than manual, hands-on-keyboard attacks.

The activity closely mirrored incidents observed in December following Fortinet's initial disclosure of the SSO authentication bypass flaw. However, the new wave of attacks has proven more concerning because they are succeeding even on systems that had applied the December patch.

"Recently, a small number of customers reported unexpected login activity occurring on their devices, which appeared very similar to the previous issue," Windsor said. "However, in the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path."

The Legal and Regulatory Context

This vulnerability carries significant implications under data protection regulations. Under the General Data Protection Regulation (GDPR), organizations using FortiGate firewalls with SSO functionality could face substantial penalties if personal data is compromised through this exploit. GDPR Article 32 requires appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems.

Similarly, under the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), organizations could face enforcement actions if they fail to implement reasonable security procedures and practices to protect consumer data. The CCPA allows for statutory damages of $100 to $750 per consumer per incident in the event of a data breach, which could add up quickly for organizations with large user bases.

The vulnerability also raises questions about compliance with the NIST Cybersecurity Framework and other industry standards that require timely patching and vulnerability management. Organizations that have applied the December patch in good faith may now find themselves still vulnerable, complicating their compliance posture.

Impact on Users and Companies

The immediate impact is significant for organizations relying on FortiGate firewalls with SSO authentication. The exploit allows attackers to:

1. Gain unauthorized access to firewall management interfaces through compromised SSO accounts
2. Modify firewall configurations to weaken security controls or create persistent access
3. Create backdoor administrator accounts that remain undetected
4. Exfiltrate configuration files that may contain sensitive network information
5. Potentially pivot to other systems within the network

The silent nature of these attacks is particularly concerning. Unlike traditional exploits that might trigger obvious security alerts, this vulnerability allows attackers to operate without detection, making it difficult for security teams to identify compromised systems.

For Fortinet, the repeated failure to properly patch the vulnerability damages customer trust and raises questions about the company's security practices. The vendor has now acknowledged two separate zero-day vulnerabilities within a week, including a "make-me-admin" bug that was also under active exploitation.

Technical Details and Scope

While Fortinet has not yet published technical details of the alternate attack path, the company confirmed that the underlying weakness is not limited to FortiCloud SSO. "It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations," Windsor stated.

This broad scope means that any organization using SAML-based SSO authentication with FortiOS could be vulnerable, regardless of whether they use FortiCloud or another identity provider. The vulnerability appears to be in the SAML authentication implementation itself, rather than a specific integration with FortiCloud.

The fact that attackers have successfully exploited systems that had applied the December patch suggests that the original fix was incomplete or that the vulnerability is more complex than initially understood. This is not uncommon with authentication vulnerabilities, which often involve multiple components and interaction points.

What Changes

Fortinet is currently working on a new fix to remediate the issue. The company has stated that an advisory will be issued once the fix scope and timeline are available. However, no specific timeline has been provided for when customers can expect a working patch.

In the meantime, Fortinet has issued several recommendations for customers:

1. Review authentication logs for any unexpected login activity
2. Restrict exposure of the management interface to minimize attack surface
3. Closely monitor changes to administrator accounts for unauthorized modifications

These are standard security practices, but they become particularly important when a known vulnerability is being actively exploited in the wild. Organizations should also consider implementing additional monitoring for SSO authentication events and reviewing their firewall configurations for any unauthorized changes.

Broader Implications

This incident highlights several concerning trends in enterprise security:

Patch reliability: Organizations rely on vendors to provide effective patches for critical vulnerabilities. When patches fail to fully address issues, it undermines trust and leaves customers exposed.

Complexity of modern security appliances: As security devices like firewalls become more complex, incorporating features like SSO authentication, they introduce new attack surfaces. The trade-off between functionality and security is becoming increasingly difficult to manage.

Automation of attacks: The rapid, automated nature of these attacks suggests that threat actors are developing sophisticated tooling to exploit known vulnerabilities at scale. This makes timely patching even more critical.

Supply chain security: Organizations using FortiGate firewalls are effectively trusting Fortinet's security practices. When those practices fail, it creates a supply chain vulnerability that affects all customers.

Recommendations for Organizations

While waiting for an official patch from Fortinet, organizations should:

1. Implement temporary workarounds: Consider disabling SSO authentication if possible, or implementing additional authentication factors for SSO logins
2. Enhance monitoring: Deploy additional monitoring for firewall configuration changes and SSO authentication events
3. Review access controls: Ensure that only necessary personnel have access to firewall management interfaces
4. Prepare incident response: Develop or review incident response plans specifically for firewall compromise scenarios
5. Communicate with stakeholders: Inform relevant stakeholders about the vulnerability and the organization's response

Looking Ahead

Fortinet's repeated failure to properly patch this vulnerability raises questions about the company's security development and testing processes. Customers will be looking for:

• A detailed explanation of why the December patch failed
• Technical details about the new attack path
• A comprehensive fix that addresses all known variants of the vulnerability
• Improved processes for vulnerability disclosure and patch development

The incident also serves as a reminder that no security product is immune to vulnerabilities, and that organizations must maintain defense-in-depth strategies rather than relying solely on perimeter security devices.

As Fortinet works on the new fix, the security community will be watching closely to see if this patch finally closes the door on this critical vulnerability. For now, organizations using FortiGate firewalls with SSO authentication remain in a precarious position, balancing the need for operational continuity against the risk of compromise.

Featured image: Shutterstock

---

This article was updated on January 23, 2026, to include additional context about regulatory implications and organizational recommendations.